Tags

Category: Journal Article

Cyberspace operations have a far-reaching, permanent impact on military operations. At the conceptual level, the U.S. Department of Defense (DoD) now recognizes five warfighting domains: land, maritime, air, space, and cyber.1 While there are examples of how cyberspace support to military operations have advanced over the past decade, one gap has not been addressed in detail—operational planning.

One operation, one mission, yet it requires a myriad of extraordinary experts—each unique and each integral to an RPA operation that depends on well over a hundred individual commercial and military network connections, dozens of integrated hardware systems, miles of fiber-optic cable, significant satellite bandwidth, and millions of lines of software code. Welcome to the cyber domain: an environment of intellect, integration, and, for good as well as ill, complex interdependency.

Achieving global cyber superiority or global cyber control by any organization is no longer technically possible. Instead, the proper overarching objective should be dominance of one or more of the elements of cyberspace of most importance to the organization at any given time.1 The successful nation is the one that achieves and maintains strategic and tactical dominance in its critical elements of cyberspace when required.2 Two important questions related to the strategic aspects of cyber conflict are: what should be the basic technological building block(s) for strategic cyber defense to assure dominance of one’s own critical elements of cyberspace, and what are the classes of strategic data target(s) strategic cyber defense must protect?

The ability to retaliate against cyber attackers—irrespective of the legalities of such actions—appears to have gained traction in the United States government, but is it a practical response for achieving tactical and strategic objectives in cyberspace? Attribution limitations, collateral damage considerations, the Internet’s global archi- tecture, and potential event escalation make the challenges of engaging in active cyber defense an ineffective course of action destined to achieve limited tactical successes at best; and it risks accelerating digital as well as physical conflict. Too many variables prevent active cyber defense deter- ring or punishing adversaries in cyberspace. For that reason, this article advocates a more productive solution—aggressive cyber defense—to frustrate attackers via nondestructive or damaging activities.

As international scrutiny remains focused on the Islamic Republic of Iran’s nuclear program, a capability is developing in the shadows inside Iran that could pose an even greater threat to the United States. The 2010 National Security Strategy discusses Iran in the context of its nuclear program, support of terrorism, its influence in regional activities, and its internal problems. There was no mention of Iran’s cyber capability or of that ability to pose a threat to U.S. interests. This is understandable, considering Iran has not been a major concern in the cyber realm. Furthermore, Russia and China’s cyber activities have justifiably garnered a majority of attention and been widely reported in the media over the past decade. Iran’s cyber capabilities have been considered third-tier at best. That is rapidly changing. This report discusses the growing cyber capability of Iran and why it poses a new threat to U.S. national interests.

Outer space has enjoyed two decades of fairly peaceful development since the Cold War, but once again it is becoming more competitive and contested, with increased militarization. Therefore, it is important the United States maintain its space superiority to ensure it has the capabilities required by modern warfare for successful operations. Today is different from earlier periods of space development,1 because there is not a blatantly overt arms race in space,2 but instead a covert challenge to US interests in maintaining superiority, resilience, and capability. A finite number of states consider themselves geopolitical actors; however, as long as the United States maintains space superiority, they must play according to a set of rules written without their consent and forced upon them. US space assets monitor the actions of authoritarian regimes and their pursuit of regional influence—a practice these regimes find quite disturbing. Therefore, any degradation or limitation of US space-borne capabilities would be seen as a successful outcome for such regimes. Cyber warfare offers these adversarial actors the opportunity to directly or indirectly destroy US space assets with minimal risk due to limited attribution and traceability. This article addresses how they might accomplish this objective. We must begin by examining US reliance on space before focusing on space clutter and the means an adversary might use to exploit it. While satellite protection is a challenge, there are several solutions the United States should consider in the years ahead.

Georgian-Russian hostilities in South Ossetia have generated a substantial amount of analysis and speculation regarding the accompanying cyber conflict.5 Most of the focus has centered on identifying the parties who conducted the cyber attacks. The Georgian cyber event provides an intriguing opportunity to examine a more subtle and perhaps overlooked aspect of cyber conflict—the concept of cyber neutrality. The Georgian case raises two fundamental questions: (1) How did the combined actions of the Georgian government and US information technology (IT) companies impact American status as a cyber neutral? (2) Can the United States remain neutral (or cyber neutral) during a cyber conflict?

Technical and operational realities make it prohibitively difficult to adapt a Cold War paradigm of “deterrence stability” to the new domain of cyber warfare. Information quality problems are likely to forestall the development of a cyber equivalent of the strategic exchange models that assessed deterrence stability during the Cold War. Since cyberspace is not firmly connected to geographic space the way other domains are, modeling is extremely difficult, muddling the neat conceptual distinctions between “counterforce” (military) and “countervalue” (civilian) targets. These obstacles seriously complicate US planning for a credible cyber “assured response” and present substantial challenges to potential adversaries contemplating cyber attacks against US interests. To create a maximally effective deterrent against cyber threats, the United States should seek to maximize the challenges for possible opponents by creating a cyber “strategy of technology,” emphasizing resilience, denial, and offensive capabilities.

How difficult is cyber deterrence? Some theorists argue that it is quite difficult. These skeptics make valid points; the domain of cyberspace does pose unique challenges for an effective deterrence strategy. But treating cyber deterrence only theoretically—that is, ignoring the geopolitical context in which cyber attacks occur—unintentionally exaggerates its difficulty. Cyber deterrence proves easier in practice than it seems to be in theory because cyber attacks are ultimately inseparable from the physical domain, where deterrence has a long-demonstrated record of success.

Many cyber experts say the United States is woefully ill prepared for a sophisticated cyber attack and that each passing day brings it one step closer to a potential virtual Armageddon. While the problems hindering the development of an effective and comprehensive cyber deterrence policy are clear (threat measurement, attribution, information-sharing, legal codex development, and poor infrastructure, to name several), this article focuses on one aspect of the debate that heretofore has been relatively ignored: that the futility of governmental innovation in terms of defensive efficacy is a relatively constant and shared weakness across all modern great powers, whether the United States, China, Russia, or others. In other words, every state that is concerned about the cyber realm from a global security perspective is equally deficient and vulnerable to offensive attack; therefore, defensive cyber systems are likely to remain relatively impotent across the board.